Cross-site Scripting (XSS) - Stored in bytefury/crater

Valid

Reported on

Apr 25th 2021

✍️ Description

Stored xss using customer billing address

🕵️‍♂️ Proof of Concept

  1. First goto demo app https://demo.craterapp.com/admin/customers/create and create a customer . During creation put bellow xss payload in billing address field and save it . Now see xss is executed

payload --> xss"'><img src=x onerror=alert(document.domain)> #VIDEO Poc --> https://drive.google.com/file/d/1_QnM43laQX2_YnOdscUCFwguz0MUR-8y/view?usp=sharing

💥 Impact

XSS

Mohit Panjwani marked this as fixed in 5.0.0 with commit 3a1f5a a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation